Red Hat Product Errata RHSA-2015:1740 - Security Advisory

Issued:: 2015-09-07
Updated:: 2015-09-07

RHSA-2015:1740 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: qemu-kvm-rhev security fix update

Type/Severity

Security Advisory: Moderate

Topic

Updated qemu-kvm-rhev packages that fix one security issue and one bug are
now available for Red Hat Enterprise Virtualization.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the
user-space component for running virtual machines using KVM in environments
managed by Red Hat Enterprise Virtualization Manager.

An information leak flaw was found in the way QEMU's RTL8139 emulation
implementation processed network packets under RTL8139 controller's C+ mode
of operation. An unprivileged guest user could use this flaw to read up to
65 KB of uninitialized QEMU heap memory. (CVE-2015-5165)

Red Hat would like to thank the Xen project for reporting this issue.
Upstream acknowledges Donghai Zhu of Alibaba as the original reporter.

All users of qemu-kvm-rhev are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue. After
installing this update, shut down all running virtual machines. Once all
virtual machines have shut down, start them again for this update to take
effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Virtualization 3 for RHEL 6 x86_64

Fixes

BZ - 1248760 - CVE-2015-5165 Qemu: rtl8139 uninitialized heap memory information leakage to guest (XSA-140)

CVEs

CVE-2015-5165

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization 3 for RHEL 6

SRPM
qemu-kvm-rhev-0.12.1.2-2.479.el6_7.1.src.rpm	SHA-256: fc2f9812979035336f141b7e0301cec0f5864e9c97d31121206f6b8e45e3ef48
x86_64
qemu-img-rhev-0.12.1.2-2.479.el6_7.1.x86_64.rpm	SHA-256: 30c035203625a7cf68c1d9440dc1cb9335e7760a2f6c9931e1b8a476a52ab599
qemu-kvm-rhev-0.12.1.2-2.479.el6_7.1.x86_64.rpm	SHA-256: a37ab4a3833dfbe055759d17f496282aa2259e91cc01c575ebfc9b79472531dc
qemu-kvm-rhev-debuginfo-0.12.1.2-2.479.el6_7.1.x86_64.rpm	SHA-256: 9e7cc92fdbfdb09ca17d5950599f27bcd1ab94ba6456b60a9cb7bc18f12f46a4
qemu-kvm-rhev-tools-0.12.1.2-2.479.el6_7.1.x86_64.rpm	SHA-256: e5346a88d439694e6c60515062f4445c79b2b98966b4e7fd3456253b1cdff89d

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories